Encryption for HIPAA Compliance

It can be hard to visualize abstract concepts, so let’s pretend that the inside of your house is transmitted data. To make sure people don’t enter without your permission, you likely use a lock on the front door. Think of this like encryption.

Unfortunately, even with a lock, criminals may try to bust your door in with brute force to access the valuables inside. As tools to accomplish this continue to improve, the need for powerful protection is greater than ever.

Encryption may seem complicated at first, but understanding the basics is easy. In this article, we’ll cover the basics so you can better gauge the strength of your organization’s encryption measures.

What are the basics of Encryption?

As mentioned above, encryption is like a lock that protects your sensitive data from prying eyes. The process begins with readable data known as plaintext and transforms it, under a key, into ciphertext that is unreadable to anyone without that key.

In order to decrypt the data and return it to its readable state, the recipient must have the cryptographic key. In terms of a house, this is like the key to the front door. 

When using encryption-based messaging or data transfer systems, the intended recipient should be the only one who holds the key needed to decrypt the data. In practice this happens automatically and generally requires no input from the intended recipient.

Instead of lockpicks, hammers, or other such tools, cybercriminals seeking to break encryption use powerful computers. This is why strong, sufficiently long encryption keys are essential.

Encryption In-Depth

Encryption methods are generally identifiable by two features: key length and encryption type. The key length is the number of bits in the key; 128- and 256-bit keys are the most common lengths.

The encryption type is a bit more complicated, so let’s cover the two categories before diving in.

There are two categories of encryption, symmetric and asymmetric. Symmetric encryption uses the same key to encrypt and decrypt data. Asymmetric encryption uses a pair of different keys: one to encrypt data and another to decrypt it.

The various types of encryption fall into these two categories. Let’s cover the ones ChartRequest hand-selected to protect medical records from potential cybercriminals.

ChartRequest combines industry-leading data protection and military-grade security policies with full 256-bit SSL encryption, 2048-bit private keys, and multi-layered AES encryption for all documents and data, both at rest and in transit.

First, AES is a symmetric block cipher used by the United States government to encrypt sensitive information. In a feature for ComputerWorld, Joe Moorcones, SafeNet vice president, stated, “AES, which typically uses keys that are either 128 or 256 bits long, has never been broken.”

SSL is a hybrid scheme that uses both categories: an asymmetric public and private key pair performs a “handshake” when a device connects to an encrypted server, establishing a secure session. Within that session, the data exchanged is encrypted symmetrically.
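The symmetric, asymmetric and hybrid models described above in working code. This is an added example written for this article, not ChartRequest’s own code: it uses Go’s standard library to seal a record with AES-256-GCM (symmetric, a 256-bit key), wrap the one-time session key with an RSA-2048 public key (asymmetric, RSA-OAEP), and unwrap and open it on the receiving side. That split, asymmetric keys to establish a shared secret and symmetric encryption for the bulk data, is the same one an SSL session uses after its handshake. The key pair, the sample record and all function names are constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// newGCM builds an AES-256-GCM cipher; a 32-byte key is exactly the "256-bit" in AES-256.
func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("AES-256 needs a 32-byte (256-bit) key")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SymmetricEncrypt: the same key encrypts and decrypts. Output is nonce || ciphertext || tag.
func SymmetricEncrypt(key, plaintext []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize()) // fresh per message; never reuse under one key
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

// SymmetricDecrypt fails on a wrong key or any modified byte, because GCM verifies the tag first.
func SymmetricDecrypt(key, sealed []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	ns := aead.NonceSize()
	if len(sealed) < ns {
		return nil, errors.New("sealed message too short")
	}
	return aead.Open(nil, sealed[:ns], sealed[ns:], nil)
}

// HybridMessage is what crosses the wire: the session key wrapped for the recipient,
// and the bulk data sealed under that session key.
type HybridMessage struct {
	WrappedKey []byte
	Sealed     []byte
}

// HybridEncrypt mirrors the SSL pattern: a one-time 256-bit session key protects the
// data (symmetric, fast), and only that short key is encrypted with the recipient's
// RSA-2048 public key (asymmetric, RSA-OAEP). Anyone with the public key can send;
// only the private-key holder can recover the session key and read the data.
func HybridEncrypt(recipient *rsa.PublicKey, plaintext []byte) (*HybridMessage, error) {
	sessionKey := make([]byte, 32)
	if _, err := rand.Read(sessionKey); err != nil {
		return nil, err
	}
	sealed, err := SymmetricEncrypt(sessionKey, plaintext)
	if err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, recipient, sessionKey, nil)
	if err != nil {
		return nil, err
	}
	return &HybridMessage{WrappedKey: wrapped, Sealed: sealed}, nil
}

// HybridDecrypt unwraps the session key with the private key, then opens the data.
func HybridDecrypt(priv *rsa.PrivateKey, msg *HybridMessage) ([]byte, error) {
	sessionKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, msg.WrappedKey, nil)
	if err != nil {
		return nil, err
	}
	return SymmetricDecrypt(sessionKey, msg.Sealed)
}

func main() {
	priv, err := rsa.GenerateKey(rand.Reader, 2048) // constructed recipient key pair
	if err != nil {
		panic(err)
	}
	msg, err := HybridEncrypt(&priv.PublicKey, []byte("constructed sample record"))
	if err != nil {
		panic(err)
	}
	got, err := HybridDecrypt(priv, msg)
	fmt.Printf("wrapped key %d bytes, sealed %d bytes, recovered %q, err %v\n",
		len(msg.WrappedKey), len(msg.Sealed), got, err)
}
```

Two details the house analogy hides: GCM’s authentication tag means a wrong key or a single altered byte makes decryption fail outright rather than return garbage, and the nonce must never repeat under the same key. A real SSL session also verifies the server’s certificate during the handshake, which this example does not model.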

What are the Security Rule Requirements?

The requirements for compliance with the HIPAA Security Rule are broken down into 3 categories. These are administrative safeguards, physical safeguards, and technical safeguards.

What are the Security Rule Technical Safeguards?

Encryption of protected health information falls under the technical safeguards. The technical safeguards fit into 5 sections. In order to be compliant with the technical safeguards of the HIPAA Security Rule, covered entities and business associates must: 

  1. Implement access control policies so that only authorized users and software programs can reach systems that store protected health information. These policies must follow the rule’s implementation specifications, which include unique user identifiers, an emergency access procedure, automatic logoff, and PHI encryption and decryption.
  2. Implement audit controls to log activity performed within information systems that house protected health information. These logs help HHS determine the root cause of each breach and whether an unauthorized individual accessed PHI.
  3. Ensure the integrity of medical information by implementing policies and procedures to prevent unauthorized individuals from editing or deleting PHI. This includes mechanisms to help guarantee that records have not been altered.
  4. Authenticate requestors’ identities before disclosing their electronic protected health information. Sending patient medical information to the wrong individual constitutes a HIPAA breach, so this verification is essential due diligence.
  5. Implement transmission security measures to ensure unauthorized individuals don’t breach PHI in transmission. This includes encrypting protected health information during the exchange.
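One way to implement the integrity mechanism in item 3 and a tamper-evident audit trail for item 2, as an added example that is not part of the original article or of ChartRequest’s platform. It uses Go’s standard library: an HMAC-SHA256 tag over each record, checked under a server-side key, detects any alteration of the record, and an audit log in which every entry carries the hash of the previous one makes retroactive edits or deletions of earlier entries visible. The key, the record and the log lines are constructed for the example; the function and type names are assumptions.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
)

// RecordTag computes an HMAC-SHA256 over a record under a key held only by the
// record system. Without the key, whoever edits the record cannot produce a
// matching tag, so any alteration shows up on verification.
func RecordTag(key, record []byte) string {
	mac := hmac.New(sha256.New, key)
	mac.Write(record)
	return hex.EncodeToString(mac.Sum(nil))
}

// RecordIntact recomputes the tag and compares it in constant time.
func RecordIntact(key, record []byte, tag string) bool {
	want, err := hex.DecodeString(tag)
	if err != nil {
		return false
	}
	mac := hmac.New(sha256.New, key)
	mac.Write(record)
	return hmac.Equal(mac.Sum(nil), want)
}

// AuditEntry is one line of an access log. Each entry carries the hash of the
// previous entry, so editing or deleting an earlier line breaks every later hash.
type AuditEntry struct {
	Event string // e.g. "user=a action=view record=0000" (constructed)
	Prev  string // hex hash of the previous entry, "" for the first
	Hash  string // hex SHA-256 over Prev + Event
}

func entryHash(prev, event string) string {
	sum := sha256.Sum256([]byte(prev + "\n" + event))
	return hex.EncodeToString(sum[:])
}

// AppendAudit adds an event to the chain.
func AppendAudit(log []AuditEntry, event string) []AuditEntry {
	prev := ""
	if len(log) > 0 {
		prev = log[len(log)-1].Hash
	}
	return append(log, AuditEntry{Event: event, Prev: prev, Hash: entryHash(prev, event)})
}

// VerifyAudit walks the chain and returns the index of the first inconsistent
// entry, or -1 if every link checks out.
func VerifyAudit(log []AuditEntry) int {
	prev := ""
	for i, e := range log {
		if e.Prev != prev || e.Hash != entryHash(prev, e.Event) {
			return i
		}
		prev = e.Hash
	}
	return -1
}

func main() {
	key := []byte("constructed-demo-key-not-for-production")
	record := []byte("record=0000 dx=constructed-sample")
	tag := RecordTag(key, record)
	altered := []byte(strings.Replace(string(record), "0000", "0001", 1))
	fmt.Println("original intact:", RecordIntact(key, record, tag))
	fmt.Println("altered intact: ", RecordIntact(key, altered, tag))

	var log []AuditEntry
	for _, ev := range []string{"user=a action=view record=0000", "user=b action=export record=0000"} {
		log = AppendAudit(log, ev)
	}
	fmt.Println("first broken entry (clean log):", VerifyAudit(log))
	log[0].Event = "user=a action=none record=0000" // retroactive edit
	fmt.Println("first broken entry (edited log):", VerifyAudit(log))
}
```

The chain only proves that nothing changed since the last entry whose hash you recorded somewhere the log writer cannot modify, so store that head hash separately (or sign it); otherwise truncating the log or rewriting it from the start goes unnoticed. The HMAC key likewise has to be kept out of reach of anyone who could edit records, or they can simply re-tag what they changed.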

Encryption and the Technical Safeguards

As you likely noticed, the technical safeguards don’t specify encryption requirements. This allows healthcare organizations of all sizes to customize their security measures based on their capabilities. 

This can make it difficult to be certain that your security measures are adequate, however. Insufficient security can lead to medical record breaches and steep HIPAA penalties.

Don’t leave HIPAA compliance to chance; be sure that your record exchange is compliant with ChartRequest.

Want to learn about our HIPAA compliance measures? Click here to check out our white paper!

While transmitting medical records via fax may be a habit, remember that faxes aren’t encrypted. This means that anybody who intercepts the fax will be able to view the contents.

Reduce your chance of medical record breaches by using the most secure record exchange platform available, and create your ChartRequest account today!